Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(500)

Issue 7748022: Protect sensistive chrome: and chrome-extension: schemes as not being able to be manipulated by b... (Closed)

Created:
9 years, 4 months ago by Tom Sepez
Modified:
9 years, 3 months ago
CC:
chromium-reviews, darin-cc_chromium.org, brettw-cc_chromium.org, Paweł Hajdan Jr.
Visibility:
Public.

Description

Protect sensistive chrome: and chrome-extension: schemes as not being able to be manipulated by bookmarklets and javascript: URLs typed into the omnibox. BUG=93498 Committed: http://src.chromium.org/viewvc/chrome?view=rev&revision=98849

Patch Set 1 #

Total comments: 1

Patch Set 2 : '' #

Patch Set 3 : '' #

Patch Set 4 : '' #

Total comments: 2
Unified diffs Side-by-side diffs Delta from patch set Stats (+21 lines, -8 lines) Patch
M chrome/renderer/chrome_content_renderer_client.cc View 1 2 3 1 chunk +5 lines, -0 lines 0 comments Download
M content/browser/renderer_host/resource_dispatcher_host_uitest.cc View 1 2 3 2 chunks +16 lines, -8 lines 2 comments Download

Messages

Total messages: 22 (0 generated)
Tom Sepez
Chrome side CL for protecting chrome:// urls.
9 years, 4 months ago (2011-08-25 18:20:49 UTC) #1
abarth-chromium
erikkay should see this CL.
9 years, 4 months ago (2011-08-25 18:25:48 UTC) #2
abarth-chromium
Code change LGTM, assuming Erik is ok with the policy.
9 years, 4 months ago (2011-08-25 18:26:59 UTC) #3
Mihai Parparita -not on Chrome
http://codereview.chromium.org/7748022/diff/1/chrome/renderer/chrome_content_renderer_client.cc File chrome/renderer/chrome_content_renderer_client.cc (right): http://codereview.chromium.org/7748022/diff/1/chrome/renderer/chrome_content_renderer_client.cc#newcode215 chrome/renderer/chrome_content_renderer_client.cc:215: extension_scheme); This also includes packaged apps, users might expect ...
9 years, 4 months ago (2011-08-25 18:30:56 UTC) #4
Tom Sepez
Ok. Erik suggested this on http://code.google.com/p/chromium/issues/detail?id=93498 comment #6. I'm happy to do this either way. ...
9 years, 4 months ago (2011-08-25 18:34:11 UTC) #5
Tom Sepez
Adding Mihai as cc. See previous comment.
9 years, 4 months ago (2011-08-25 18:46:48 UTC) #6
Tom Sepez
PS3 does chrome:// but not extensions.
9 years, 4 months ago (2011-08-25 19:24:59 UTC) #7
Tom Sepez
The failures in CrossSiteNavigationErrorPage test are real. When there is such an error, RenderView::LoadNavigationErrorPage() loads ...
9 years, 4 months ago (2011-08-25 20:49:35 UTC) #8
Tom Sepez
Add chrome://newtab to the same list. Though there doesn't appear to be a test for ...
9 years, 4 months ago (2011-08-25 21:52:16 UTC) #9
Mihai Parparita -not on Chrome
On Thu, Aug 25, 2011 at 2:52 PM, <tsepez@chromium.org> wrote: > Might be desirable to ...
9 years, 4 months ago (2011-08-26 01:12:44 UTC) #10
tsepez (do not use)
I'd expect that clicking on a bookmarklet that navigates somewhere from the NTP is a ...
9 years, 4 months ago (2011-08-26 16:54:11 UTC) #11
cevans
On Fri, Aug 26, 2011 at 9:54 AM, Thomas Sepez <tsepez@google.com> wrote: > I'd expect ...
9 years, 4 months ago (2011-08-26 16:57:17 UTC) #12
tsepez (do not use)
APIs aside, it has the list of places you've been ... On Fri, Aug 26, ...
9 years, 4 months ago (2011-08-26 16:58:34 UTC) #13
cevans
On Fri, Aug 26, 2011 at 9:58 AM, Thomas Sepez <tsepez@google.com> wrote: > APIs aside, ...
9 years, 4 months ago (2011-08-26 17:10:03 UTC) #14
tsepez (do not use)
re chrome:// - if we buy off on that, then I'm left with fixing an ...
9 years, 4 months ago (2011-08-26 17:33:44 UTC) #15
Erik does not do reviews
What UI do users see when they click on a bookmarklet when it's disabled?
9 years, 3 months ago (2011-08-29 18:03:20 UTC) #16
Tom Sepez
Request is silently ignored.
9 years, 3 months ago (2011-08-29 18:10:23 UTC) #17
Mihai Parparita -not on Chrome
On 2011/08/29 18:10:23, Tom Sepez wrote: > Request is silently ignored. Is there still a ...
9 years, 3 months ago (2011-08-29 20:10:28 UTC) #18
abarth-chromium
On Mon, Aug 29, 2011 at 1:10 PM, <mihaip@chromium.org> wrote: > On 2011/08/29 18:10:23, Tom ...
9 years, 3 months ago (2011-08-29 20:16:45 UTC) #19
Tom Sepez
Adding john and brett for review of RDH_uitest.cc
9 years, 3 months ago (2011-08-29 23:07:15 UTC) #20
brettw
I'll defer my review to creis (LGTM to make the commit bot happy for owners)
9 years, 3 months ago (2011-08-30 06:19:59 UTC) #21
Charlie Reis
9 years, 3 months ago (2011-08-30 16:55:59 UTC) #22
LGTM

http://codereview.chromium.org/7748022/diff/11001/content/browser/renderer_ho...
File content/browser/renderer_host/resource_dispatcher_host_uitest.cc (right):

http://codereview.chromium.org/7748022/diff/11001/content/browser/renderer_ho...
content/browser/renderer_host/resource_dispatcher_host_uitest.cc:364: // kick
off the navigation, and wait to see that the tab loads.
This ExecuteAndExtractBool approach looks great.  We don't even need the "We
would like to..." sentence, since that was just one way to get the renderer to
initiate the navigation, and your approach works equally well.

http://codereview.chromium.org/7748022/diff/11001/content/browser/renderer_ho...
content/browser/renderer_host/resource_dispatcher_host_uitest.cc:372:
EXPECT_TRUE(WaitUntilJavaScriptCondition(
I'm a little concerned about this wait being flaky, but I'm not sure what would
be better.

Powered by Google App Engine
This is Rietveld 408576698